URI protocol handler: search-ms

Detects HTML attachments using the search-ms URI protocol handler, a technique observed ITW to deliver malicious payloads.

This rule can be updated to analyze links in PDF attachments and message bodies.

Sublime rule

name: "URI protocol handler: search-ms"
description: |
  Detects HTML attachments using the search-ms URI protocol handler,
  a technique observed ITW to deliver malicious payloads.

  This rule can be updated to analyze links in PDF attachments and message bodies
references:
  - "https://twitter.com/blackorbird/status/1684505999301029888?s=20"
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_type == "html"
          and any(file.explode(.),
                  any(.scan.strings.strings,
                      regex.contains(., 'search-ms:query.*location:\\\\')
                  )
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "File analysis"
  - "HTML analysis"
id: "ee27d9c0-2d7e-5f6d-85be-73f3bf5b7cb1"
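To show what the rule's logic does, here is an added Python example (not Sublime's code) that mirrors it outside the platform: extract printable strings from each HTML attachment, as the rule's .scan.strings.strings does, and apply the same regex. The Attachment class, the strings scanner and the sample attachments are constructed for the example; the host in the sample is a placeholder, not a real indicator.

```python
import re
from dataclasses import dataclass

# Regex taken from the rule: a search-ms: query whose crumb points at a UNC path.
# The rule's single-quoted MQL literal and this raw string both mean two literal backslashes.
SEARCH_MS_UNC = re.compile(r"search-ms:query.*location:\\\\")

# Minimum run of printable bytes to count as a "string", as a strings-style scanner does.
MIN_STRING_LEN = 4
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)


@dataclass
class Attachment:
    file_name: str
    file_type: str   # normalised type, e.g. "html" or "pdf" (stand-in for .file_type)
    content: bytes


def extract_strings(data: bytes) -> list[str]:
    """Pull printable ASCII runs out of raw bytes (stand-in for .scan.strings.strings)."""
    return [m.group(0).decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def attachment_hits(att: Attachment) -> list[str]:
    """Strings in an HTML attachment that match the rule's regex; non-HTML is skipped."""
    if att.file_type != "html":
        return []
    return [s for s in extract_strings(att.content) if SEARCH_MS_UNC.search(s)]


def flagged_attachments(attachments: list[Attachment]) -> list[str]:
    """Names of attachments the rule would fire on (any HTML attachment with a hit)."""
    return [a.file_name for a in attachments if attachment_hits(a)]


# Constructed sample attachments; "placeholder.invalid" is a placeholder host.
SAMPLES = [
    Attachment("invoice.html", "html",
               b'<html><body><a href="search-ms:query=invoice&crumb=location:'
               b'\\\\placeholder.invalid\\share&displayname=Downloads">Open</a></body></html>'),
    Attachment("newsletter.html", "html",
               b"<html><body><p>No protocol handlers here.</p></body></html>"),
    # Same string but in a non-HTML attachment: the rule as written does not inspect it.
    Attachment("invoice.txt", "text",
               b"search-ms:query=invoice&crumb=location:\\\\placeholder.invalid\\share"),
]

if __name__ == "__main__":
    for name in flagged_attachments(SAMPLES):
        print("rule would fire on:", name)
```

The third sample illustrates the gap the description mentions: extending the rule to message bodies or PDF links means feeding those strings through the same regex.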